Windows Defender ATP

About

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

With the integrated Microsoft 365 Defender solution, security professionals can stitch together the threat signals that each of these products receives and determine the full scope and impact of the threat: how it entered the environment, what it has affected, and how it is currently impacting the organization. Microsoft 365 Defender takes automatic action to prevent or stop the attack and self-heal affected mailboxes, endpoints, and user identities.

Product Details

Vendor URL: Windows Defender ATP

Product Type: EDR

Product Tier: Tier I

Integration Method: Custom

Integration URL: Defender for Endpoint Raw Data Streaming API

Log Guide: Windows Event Log Reference

Parser Details

Log Format: JSON, Syslog, and XML

Expected Normalization Rate: 80%

Data Label: WINDOWS_DEFENDER_ATP

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| category | metadata.product_event_type |
| operationName | metadata.description |
| properties.AccountDomain | principal.administrative_domain |
| properties.AccountName | principal.user.userid |
| properties.AccountSid | principal.user.windows_sid |
| properties.ActionType | security_result.action_details |
| properties.CertificateSerialNumber | network.tls.client.certificate.serial |
| properties.ClientVersion | principal.asset.software.version |
| properties.DeviceId | principal.asset_id |
| properties.DeviceName | principal.hostname |
| properties.DnsAddresses | network.dns.authority.name |
| properties.FileSize | target.file.size |
| properties.FolderPath | target.process.file.full_path |
| properties.InitiatingProcessAccountDomain | principal.administrative_domain |
| properties.InitiatingProcessAccountName | principal.user.userid |
| properties.InitiatingProcessAccountSid | principal.user.windows_sid |
| properties.InitiatingProcessAccountUpn | principal.user.user_display_name |
| properties.InitiatingProcessCommandLine | principal.process.command_line |
| properties.InitiatingProcessFileSize | principal.process.file.size |
| properties.InitiatingProcessFolderPath | principal.process.file.full_path |
| properties.InitiatingProcessId | principal.process.pid |
| properties.InitiatingProcessMD5 | principal.process.file.md5 |
| properties.InitiatingProcessParentId | principal.process.parent_pid |
| properties.InitiatingProcessSHA1 | principal.process.file.sha1 |
| properties.InitiatingProcessSHA256 | principal.process.file.sha256 |
| properties.IPAddresses | principal.ip |
| properties.IPv4Dhcp | network.dhcp.ciaddr |
| properties.Issuer | network.tls.client.certificate.issuer |
| properties.LocalIP | principal.ip |
| properties.LocalPort | principal.port |
| properties.LoggedOnUsers.DomainName | principal.administrative_domain |
| properties.LoggedOnUsers.Sid | principal.user.windows_sid |
| properties.LoggedOnUsers.UserName | principal.user.userid |
| properties.MacAddress | principal.mac |
| properties.PreviousRegistryKey | src.registry.registry_key |
| properties.PreviousRegistryValueData | src.registry.registry_value_data |
| properties.PreviousRegistryValueName | src.registry.registry_value_name |
| properties.ProcessCommandLine | target.process.command_line |
| properties.Protocol | extensions.auth.auth_details |
| properties.PublicIP | principal.nat_ip |
| properties.RegistryKey | target.registry.registry_key |
| properties.RegistryValueData | target.registry.registry_value_data |
| properties.RegistryValueName | target.registry.registry_value_name |
| properties.RemoteIP | target.ip |
| properties.RemotePort | target.port |
| properties.RemoteUrl | target.url |
| properties.SHA1 | network.tls.client.certificate.sha1 |
| properties.SignerHash | network.tls.client.certificate.sha256 |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| all other | GENERIC_EVENT |
| DeviceLogonEvents | USER_UNCATEGORIZED |
| DeviceNetworkEvents | NETWORK_CONNECTION, GENERIC_EVENT |
| DeviceProcessEvents | PROCESS_UNCATEGORIZED |

Log Sample

{"category":"AdvancedHunting-DeviceLogonEvents","operationName":"Publish","properties":{"AccountDomain":"domain","AccountName":"svc","AccountSid":"sid","ActionType":"LogonSuccess","AdditionalFields":"{\"IsLocalLogon\":false}","AppGuardContainerId":"","DeviceId":"devid","DeviceName":"n.domain.com","FailureReason":null,"InitiatingProcessAccountDomain":null,"InitiatingProcessAccountName":null,"InitiatingProcessAccountObjectId":null,"InitiatingProcessAccountSid":null,"InitiatingProcessAccountUpn":null,"InitiatingProcessCommandLine":null,"InitiatingProcessCreationTime":null,"InitiatingProcessFileName":null,"InitiatingProcessFileSize":null,"InitiatingProcessFolderPath":null,"InitiatingProcessId":0,"InitiatingProcessIntegrityLevel":null,"InitiatingProcessMD5":null,"InitiatingProcessParentCreationTime":null,"InitiatingProcessParentFileName":null,"InitiatingProcessParentId":0,"InitiatingProcessSHA1":null,"InitiatingProcessSHA256":null,"InitiatingProcessTokenElevation":"None","InitiatingProcessVersionInfoCompanyName":null,"InitiatingProcessVersionInfoFileDescription":null,"InitiatingProcessVersionInfoInternalFileName":null,"InitiatingProcessVersionInfoOriginalFileName":null,"InitiatingProcessVersionInfoProductName":null,"InitiatingProcessVersionInfoProductVersion":null,"IsLocalAdmin":null,"LogonId":logon,"LogonType":"Network","MachineGroup":null,"Protocol":"NTLM","RemoteDeviceName":"device","RemoteIP":"10.10.10.10","RemoteIPType":"Private","RemotePort":39387,"ReportId":26156,"Timestamp":"2021-09-30T12:54:53.1498857Z"},"tenantId":"redacted","time":"2021-09-30T12:57:43.3391759Z"}

Sample Parsing

metadata.event_timestamp = "2021-10-01T13:32:27.157242Z"
metadata.event_type = "USER_UNCATEGORIZED"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Windows Defender ATP"
metadata.product_event_type = "AdvancedHunting-DeviceLogonEvents"
metadata.description = "Publish"
metadata.ingested_timestamp = "2021-10-01T13:32:27.157242Z"
principal.hostname = "n.domain.com"
principal.asset_id = "WD:devid"
principal.user.userid = "svc"
principal.user.windows_sid = "sid"
principal.process.pid = "0"
principal.process.parent_pid = "0"
principal.administrative_domain = "domain"
principal.asset.asset_id = "WD:devid"
target.ip = "10.10.10.10"
target.port = 39387
target.asset.ip = "10.10.10.10"
security_result.action_details = "LogonSuccess"
extensions.auth.auth_details = "NTLM"
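
The field and event-type tables applied to a trimmed, constructed copy of the log sample, as an added example rather than the parser's own code. `FIELD_MAP` is a subset of the field table; the first-non-empty precedence for source fields that share a UDM target, and the rule choosing between NETWORK_CONNECTION and GENERIC_EVENT, are assumptions because the page does not state them.

```python
import json

# Subset of the page's field table: properties.<key> -> UDM field.
FIELD_MAP = [
    ("AccountDomain", "principal.administrative_domain"),
    ("AccountName", "principal.user.userid"),
    ("InitiatingProcessAccountName", "principal.user.userid"),
    ("AccountSid", "principal.user.windows_sid"),
    ("ActionType", "security_result.action_details"),
    ("DeviceName", "principal.hostname"),
    ("InitiatingProcessId", "principal.process.pid"),
    ("LocalIP", "principal.ip"),
    ("Protocol", "extensions.auth.auth_details"),
    ("RemoteIP", "target.ip"),
    ("RemotePort", "target.port"),
]
# Product Event Types table; every other table is GENERIC_EVENT.
EVENT_TYPES = {"DeviceLogonEvents": "USER_UNCATEGORIZED",
               "DeviceProcessEvents": "PROCESS_UNCATEGORIZED"}

def normalize(raw_line):
    """Map one streamed JSON event to flat UDM field/value pairs."""
    event = json.loads(raw_line)
    props = event.get("properties") or {}
    udm = {"metadata.product_event_type": event.get("category"),
           "metadata.description": event.get("operationName")}
    for key, field in FIELD_MAP:
        value = props.get(key)
        if value in (None, ""):
            continue  # null/empty source fields produce no UDM field
        if field.endswith(".pid"):
            value = str(value)  # the page's sample output shows pid as a string
        udm.setdefault(field, value)  # assumption: first non-empty source wins
    if props.get("DeviceId"):
        udm["principal.asset_id"] = "WD:" + props["DeviceId"]  # prefix per sample
    table = (event.get("category") or "").split("-", 1)[-1]
    if table == "DeviceNetworkEvents":
        # Assumption: NETWORK_CONNECTION needs both endpoints, else GENERIC_EVENT.
        both = "principal.ip" in udm and "target.ip" in udm
        udm["metadata.event_type"] = "NETWORK_CONNECTION" if both else "GENERIC_EVENT"
    else:
        udm["metadata.event_type"] = EVENT_TYPES.get(table, "GENERIC_EVENT")
    return udm

# Constructed input: the page's log sample trimmed to a few fields, valid JSON.
SAMPLE = json.dumps({"category": "AdvancedHunting-DeviceLogonEvents",
    "operationName": "Publish", "properties": {"AccountDomain": "domain",
    "AccountName": "svc", "AccountSid": "sid", "ActionType": "LogonSuccess",
    "DeviceId": "devid", "DeviceName": "n.domain.com",
    "InitiatingProcessAccountName": None, "InitiatingProcessId": 0,
    "Protocol": "NTLM", "RemoteIP": "10.10.10.10", "RemotePort": 39387}})
```

Comparing the returned dictionary with the Sample Parsing block is a quick way to confirm that a raw event still normalizes as expected after a feed or parser change.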

Parser Alerting

This product currently does not have any parser-based alerting.